Being that SSL has been getting a fair amount of attention lately due to the Instagram debacle (http://techcrunch.com/2010/11/18/yet-another-hot-startup-leaves-a-gaping-security-hole-in-its-iphone-app/) and the Firesheep exploit (http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/), I thought it might be interesting to spawn a discussion on SSL providers out there.

I typically use GeoTrust QuickSSL for most e-commerce applications, but I was wondering what were some of the pluses and minuses (cost, support, time to deployment, etc.) users in the community had experienced.
I use and like StartSSL for class one validation, which is free, though the class one certs are only for single hosts. (Don't forget to load the intermediate certificate in the web server config, or Firefox will act like there's no root cert loaded.)

Class two validation, supporting wildcard certs, is available, but requires high-resolution documentation of personal identity, resubmitted annually and kept on file outside my legal jurisdiction (StartCom is based in Israel), until seven years after the certificate's eventual expiration or revocation, which rounds up to forever.

I admire Start's model of charging only for actions that require human intervention, like identity validation, but I can't bring myself to have faith that their current trustworthiness precludes being acquired or compromised in the distant future. It's aggravating that organizational validation (for wildcard or EV certs) is layered on top of individual validation, meaning that an individual's ID always has to be on file.
If you are concerned about speed, you want to go with one of the "big boys" to get a cert that is closer to the root the browser trusts. The more intermediate certificates you have to supply, the more the client has to download to complete the handshake, and you should strive to keep it under 4k to avoid overflowing the initial TCP window (which would then require another round-trip).
In order of preference:

1) GeoTrust
2) Comodo
3) Thawte

Although many cert providers tout wide browser acceptance, you may find discrepancies in production. Be careful. GeoTrust has excellent customer service, decently priced certs, and an automated/expedited process. No affiliation.
GoDaddy makes SSL certs really easy if you have the domain registered with them too. Hot tip: type "ssl cert" into Google and click on their ad instead of going straight to their site: $12 vs $49. If you have your domain name, it's basically as easy as upload your CSR text, download your cert. Could be done in about 5 mins.

Of course, that raises a question I have... what's the difference, if any, between their cheap SSL certs and their $99 "premium" ones?
Why do we have to have SSL cert providers? I understand when you're doing e-commerce, it makes sense. But for a website that is just trying to do SSL to get past Firesheep, or simply because they are transmitting sensitive information, doesn't it make sense to allow them to just encrypt their traffic?

To answer the actual question, we use GoDaddy.
I use GeoCerts

https://www.geocerts.com

I've bought and installed about a dozen different certificates from them, even some of the high-ticket ones that need a background check during the application stage.

Interface is good, price is right. No complaints.
StartSSL (http://www.startssl.com/) is super rad. Basic certs are free; wildcards are only $50; their validation isn't a joke; and they are a trusted CA on Firefox, Safari, and IE.
Check your hosting company; they may have a deal to resell certificates and may provide installation for you. I got a certificate significantly cheaper than listed on the GeoTrust site.
I use Servertastic (https://www.servertastic.com/ssl-certificates/), usually with the RapidSSL one: https://www.servertastic.com/order/rapidssl/ Servertastic resells from a large number of SSL providers. Avoid GoDaddy to avoid the cert chaining headache.
Most of the certificates I use are self-signed. For the others, I get them through Gandi (a 1-year certificate is included with each domain registration) and my webhost, SoftLayer (they resell RapidSSL certificates for $20 a year).

http://www.gandi.net

http://www.softlayer.com
Myself. I run my own CA for internal use and sign all my own certs, and occasionally those for customers. This works only because I generally control all the devices that the certs will be used on - I wouldn't use this on public facing sites.

Wildcard certs are expensive last I checked, but simply too useful to ignore.
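Three practical points come up across this thread: the server has to send the intermediate certificate or clients holding only the root cannot build the chain, the chain should stay small enough to fit the initial TCP window, and a private CA signs certificates from a CSR exactly the way a commercial one does. The script below exercises all three with a throwaway two-tier CA. It is an added example, not code from any commenter or from any provider named here; the CA and host names (Example Private Root CA, Example Private Intermediate CA, www.example.test) are assumptions, and the 4096-byte budget is an assumed reading of the thread's "under 4k" rule of thumb. Everything is generated locally with openssl, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway two-tier CA with
# openssl, then check the two things the thread warns about. Assumed names:
# Example Private Root CA, Example Private Intermediate CA, www.example.test.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# 1. Root CA: self-signed. In a real deployment this key stays offline.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Private Root CA" \
  -keyout root.key -out root.crt 2>/dev/null

# 2. Intermediate CA: a CSR signed by the root and marked as a CA so that it
#    may itself sign end-entity certificates (pathlen:0 = no further CAs).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Private Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null

# 3. Server certificate. The CSR is what you would paste into a commercial
#    CA's order form; the private key never leaves the server.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > server.ext
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile server.ext -out server.crt 2>/dev/null

# 4. What the web server must be configured to send: leaf first, then the
#    intermediate. Browsers ship the root, never the intermediate.
cat server.crt inter.crt > fullchain.pem

# verify_chain: succeeds when a client holding only the root can build a path
# through the supplied intermediate to the leaf.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted inter.crt server.crt >/dev/null 2>&1
}

# verify_leaf_alone: the misconfiguration the thread describes. The server
# sends only its own certificate, the client has just the root, and path
# building fails ("unable to get local issuer certificate").
verify_leaf_alone() {
  openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}

# chain_der_bytes: total DER size of the certificates given, i.e. the bytes
# that actually cross the wire in the handshake's Certificate message.
chain_der_bytes() {
  total=0
  for cert in "$@"; do
    n=$(openssl x509 -in "$cert" -outform DER | wc -c | tr -d ' ')
    total=$((total + n))
  done
  echo "$total"
}

# chain_fits_initial_window: the thread's rule of thumb, assumed here as a
# 4096-byte budget for leaf plus intermediates.
chain_fits_initial_window() {
  [ "$(chain_der_bytes "$@")" -le 4096 ]
}

verify_chain && echo "chain validates when the intermediate is supplied"
verify_leaf_alone || echo "leaf alone does NOT validate (intermediate missing)"
echo "chain size: $(chain_der_bytes server.crt inter.crt) bytes DER"
chain_fits_initial_window server.crt inter.crt && echo "fits the initial TCP window budget"
```

To apply the same check to a live site, feed the certificates returned by `openssl s_client -showcerts` to `chain_der_bytes`; every certificate beyond the leaf is another one the client must download before it can finish the handshake.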
From a conversion rate standpoint not much seems to beat VeriSign, although GoDaddy SSL seems to be making gains.

Also see "Proper placement of 'trust logos' can make a huge difference in conversion rate.":

http://conversionvoodoo.com/blog/2010/07/proper-placement-of-trust-logos-can-make-a-huge-difference-in-conversion-rate/
VeriSign. They are probably the most expensive CA available, but they are absolutely worth it if you ever intend to provide secure user sessions to the proverbial Aunt Millie.

Their identity verification process is fully automated now (phone + web), so most certificates are issued within a few hours of CSR submission.